While I was recently helping a client mitigate a data breach, there was another team on the premises ensuring that the organization met the standards for a popular security compliance certificate. This is not the first time that I have encountered certifying bodies signing off on an organization's compliance even as it was under cyberattack. This ironic situation illustrates the confusing role that the growing number of different compliance certifications play. On the one hand, these certifications increase security efforts, but it is also clear they are not a blanket solution, as certified companies are attacked all the time.
While SOC2 and ISO 27001 are among the best known certifications, there are dozens of voluntary compliance schemes that companies can adopt. In fact, companies often have more than one certification because there is no real international standard, meaning that organizations seek out additional compliance certifications when entering new markets in order to satisfy demands of clients, customers, and partners. With SOC2 taking up to three months to implement, while ISO takes up to six months, companies are spending large amounts of human and financial resources on these certifications. So it is time to ask if this endeavor is worth it.
Certifications Can Bring Unexpected Benefits
There is no doubt that such schemes offer benefits — but not necessarily the ones that organizations expect. Most importantly, they raise cybersecurity awareness throughout an organization, often in a bottom-up manner.
Because potential customers and clients routinely ask about certifications, it is often an organization's marketing and sales teams that approach their CISO to request that certifications be sought. Whether or not a certification is ultimately pursued, and whatever actual security benefits it brings, this momentum is important and creates stronger links between cybersecurity teams and the rest of the business. These relationships can help lay the foundation for more holistic cybersecurity practices and policies, and emphasize to the entire business the importance of investing in cybersecurity.
Requests for certifications from sales, marketing and other teams also illustrate to the CISO and the entire C-suite how cybersecurity can be a business enabler and a marketing tool; for example, an organization that holds a certain certification can highlight it to appeal to potential customers and clients.
In fact, many organizations require that their service providers, from payroll solutions to delivery services, have a certain compliance certificate. So not having such a certification could mean, for example, that a vehicle fleet management company will not win a contract from a startup that wants transportation services. This helps companies understand in general how any cybersecurity spending and practices should be aligned with business goals and not happen in a vacuum or with a pure-compliance mindset.
False Sense of Security
But organizations seeking out these certifications must also realize that they can only do so much. Certified organizations are attacked all the time. The number of companies with ISO certifications has more than quadrupled in the last decade, but attacks continue to rise. This is partly because in the current environment, nothing can completely prevent attacks. While certifications are a starting point, they do not make up for holistic security assessments that map out the most probable attack routes, the most valuable and vulnerable targets, and then focus on protecting those assets.
In addition, these certifications and audits can be implemented in a wide-ranging manner, and it is difficult to tell how thorough they actually are. This is because there are hundreds of different companies that offer official certification for SOC2, ISO 27001, and others. Although there are basic guidelines, their methods differ, and, frankly, some probably do a better job than others.
What Should Organizations Do?
At the end of the day, businesses should seek out the certifications that are popular in their markets. Doing so builds security awareness and momentum inside an organization, creates a vehicle for integrating an emphasis on cybersecurity into marketing and sales efforts, and fosters an environment where cybersecurity spending is linked to business goals. On a practical level, many certifications, including ISO, can prevent fines or reputational damage in the event of an attack because they demonstrate to the public that the organization was taking preventative steps.
At the same time, businesses should make sure the organization they select for any certification does a thorough job. For example, there should be actual penetration or other testing performed as part of the evaluation, not just a questionnaire that is completed about testing done in the past.
Most importantly, organizations cannot let their guard down even after they have completed the long, tedious and costly process of certification. They must continue to engage in ongoing risk assessment, focus on protecting the most valuable parts of a business and use proactive defensive measures, like threat hunting and ethical hacking.
In sum, the value of these certifications is derived by viewing them as starting points, rather than end goals. These certifications are often critical in advancing the conversation and the priority of cybersecurity in organizations.